VSCode Remote SSH for On-Call

Remote SSH editing on production hosts.

Usage

VSCode Remote SSH lets engineers edit files on remote machines as if they were local. The discipline is using it productively while respecting the production safety implications that come with making remote edits feel local.

• Open SSH host directly. The Remote SSH extension connects to any SSH host. VSCode runs locally; the workspace and language server run on the remote.
• Full VSCode on remote files. Edit, save, terminal, debugger all work on remote files. The discipline produces a familiar editing experience without copying files locally.
• SSH config integration plus multi-host. Remote SSH uses ~/.ssh/config; existing aliases and ProxyJump work. Different VSCode windows connect to different hosts simultaneously when the engineer works across environments.
• Host-specific workspace settings. Settings can be per-host. Different hosts can have different extension sets or configurations; the discipline accommodates host-specific needs without polluting the local profile.

Careful

Remote SSH on production hosts is powerful and risky. The discipline includes recognising the implications and writing them down rather than relying on engineer caution.

• Remote editing on prod is risky. Direct file edits on production hosts bypass the deploy pipeline. Changes are not in version control; the system drifts in ways that surface during the next outage.
• Read-only by preference. When investigating production, read-only access is the default. The team investigates without modifying; the production state is preserved for forensics.
• Write only when explicitly required. Writes to production should be deliberate and documented. Emergency fixes and specific approved changes only; ad-hoc modification is the discipline's failure mode.
• Staging for development; documented policy. Development and testing use non-production hosts. The team's policy on remote production editing is written down so engineers know when it is acceptable.

Audit

Remote work needs audit trails. Combined with bastion logging, the discipline produces compliance-ready evidence rather than gaps that auditors find at the worst moment.

• SSH session logs. The SSH session captures the connection. Bastion logs record access; the audit trail covers connection time, source, and destination.
• Bastion content recording. The bastion records session content. Compliance reviews have access to the actual commands run rather than just connection metadata.
• Per-engineer attribution. The audit trail attributes work to specific engineers. Accountability is preserved without relying on shared keys or rotated accounts.
• Retention plus documented setup. Audit logs are retained per the team's policy and the audit setup is documented. Compliance discussions reference the documentation rather than rebuilding the picture each audit cycle.

VSCode Remote SSH is one of those development productivity tools that benefits from disciplined use. Nova AI Ops integrates with infrastructure access tools, complementing the engineer's productivity with cluster-wide visibility.